The Treasury Inspector General for Tax Administration (TIGTA) recently released a report citing a need for improvements in software version control management for the Internal Revenue Service (IRS).
TIGTA found that although the IRS had made progress in automating its software versions review, it “is not effectively managing or controlling software versions on systems and applications to ensure that software is approved and up to date.” TIGTA also found that 50 percent of software versions installed on the IRS’ mainframe were not listed in the Product Catalog and 21 percent of server software versions weren’t approved in the Product Catalog.
Lastly, unauthorized software had been installed on workstations within the IRS, and older versions of software were never removed or replaced with newer versions.
To clean up the controls management process, TIGTA recommended that the IRS CIO “create an enterprise-wide, integrated structure to centralize commercial-off-the-shelf software version tracking, currency, and management to include roles and responsibilities.”
TIGTA also recommended that the agency update policies and procedures for mainframe, server, and workstation software assets, and remove unauthorized software while documenting and approving risk acceptance for the use of older software versions.
The Enterprise Architecture Enterprise Standards Profile Product Catalog should be used in creating a plan to monitor and compare software running on the enterprise, TIGTA said.
“The IRS agreed with all of the recommendations and plans to integrate software version tracking into a centralized enterprise-wide program office with documented roles and responsibilities,” TIGTA wrote. The IRS also agreed to monitor all versions of its software products on a semi-annual basis.